Advent Of Cyber 2 Day-4

Sampath Pendurthi
Dec 5, 2020

Hello everyone, let’s solve the TryHackMe Advent of Cyber Day 4 challenge. It’s very easy to solve, so let’s begin.

OK, this is what the webpage looks like, but there is nothing here. So let’s check for hidden directories. I’m using DirBuster to brute-force the directories.

We’ve found a folder and some files. We have a folder named /api, so let’s check that folder.

So we have a PHP file, ‘site-log.php’. Let’s open this file.

There is nothing to work with here. In PHP, parameters are used to get the data. As they mentioned, the ‘api creates the logs using dates’, so now we have a date parameter. But we don’t know exactly what date it is, so we are going to create a wordlist in the format “YYYYMMDD”. I’m going to write a simple Python script to create the wordlist.

I’ve written this code to create a wordlist for the year 2020. The script will create a pass.txt file, and we’ll use that file to fuzz the date parameter. I’m going to fuzz the date parameter with Burp Suite. You can also use Wfuzz, but Wfuzz is not working on my machine, so I’ve decided to use Burp Suite.

First open Burp Suite, send the request header to Intruder, add ‘?date=xxx’ to the URL and add the fuzzing point

and go to the payloads and load the pass.txt wordlist that we created before.

After loading the wordlist, start the attack. It will take some time. If you are using the free subscription, divide the wordlist into two parts.
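The wordlist step and the split into two parts described above, as an added example (this is not the author's original script). The file name pass.txt comes from the post; the function names and the output names pass_part1.txt and pass_part2.txt are hypothetical.

```python
from datetime import date, timedelta
from pathlib import Path


def date_wordlist(year):
    """Return every valid calendar date of `year` as a YYYYMMDD string."""
    day = date(year, 1, 1)
    words = []
    # Stepping one day at a time lets the calendar handle month lengths
    # and leap years (2020 includes 20200229) instead of hard-coding them.
    while day.year == year:
        words.append(day.strftime("%Y%m%d"))
        day += timedelta(days=1)
    return words


def split_in_two(words):
    """Split the list into two halves; the first gets the extra item if odd."""
    mid = (len(words) + 1) // 2
    return words[:mid], words[mid:]


def write_wordlist(path, words):
    """Write one entry per line and return the number of entries written."""
    Path(path).write_text("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    words = date_wordlist(2020)
    total = write_wordlist("pass.txt", words)

    # Hypothetical file names for the two halves mentioned in the post.
    first, second = split_in_two(words)
    write_wordlist("pass_part1.txt", first)
    write_wordlist("pass_part2.txt", second)

    print(f"pass.txt: {total} dates ({len(first)} + {len(second)} when split)")
```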

Yes, we’ve got one valid date. The length of the data packet is a little bit bigger than the others, so let’s try this in the browser.

OK, we got the flag. Submit the flag.

We’ve successfully completed Day 4.

follow for more………..

instagram:https://www.instagram.com/sampath.pendurthi/

github:https://github.com/LetMeHackYou/

LinkedIN:https://www.linkedin.com/in/sampath-pendurthi-1313a3184/

PEACE…✌️
